X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/8937e5e2857ef1784e3a715878c9cd62d4022406..34115a34e0593e999b7a279e07293b090012082a:/doc/security.mdwn?ds=inline diff --git a/doc/security.mdwn b/doc/security.mdwn index c51cd5b95..d9e0f655b 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. +It is possible to embed an image in a page edited over the web, by using +`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:` +urls to be used for `image/*` mime types. It's possible that some broken +browser might ignore the mime type and if the data provided is not an +image, instead run it as javascript, or something evil like that. Hopefully +not many browsers are that broken. + ## multiple accessors of wiki directory If multiple people can directly write to the source directory ikiwiki is @@ -345,3 +352,13 @@ day with the release of ikiwiki 2.14. I recommend upgrading to this version if your wiki can be committed to by third parties. Alternatively, don't use a trailing slash in the srcdir, and avoid the (unusual) configurations that allow the security hole to be exploited. + +## javascript insertion via uris + +The htmlscrubber did not block javascript in uris. This was fixed by adding +a whitelist of valid uri types, which does not include javascript. + +This hole was discovered on 10 February 2008 and fixed the same day +with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch, +as version 1.33.4. I recommend upgrading to one of these versions if your +wiki can be edited by third parties.